Coping with the not-so-calm after the storm
Keith Bird, senior vice-president EMEA at Proofpoint, explores what the chief information security officer (CISO) role entails in 2021
CISOs in 2021 and beyond need to lead the mitigation of rising cyber attacks.
If 2020 was the year the earthquake hit, 2021 is the year of the aftershocks. The initial challenge of deploying and securing remote environments at short notice has been largely overcome. Now, however, the CISO is faced with supporting these environments in the long term, in addition to hybrid environments, all the while deterring ever-more sophisticated cyber criminals emboldened by a year of disruption and uncertainty.
The result is a broad and varied threat landscape, with numerous attack methods focused on users in relatively new working conditions across a much larger attack surface. It’s little wonder that CISOs around the world are feeling the pressure.
UK CISOs are on high alert across a range of threats, and 81% of surveyed UK CISOs feel at risk of suffering a material cyber attack in the next 12 months, the highest percentage globally. What is even more concerning is that, despite knowing the risk, over half of UK CISOs – 68% – feel their organisation is unprepared to cope with a targeted cyber attack in 2021.
With the events of last year still fresh in the memory, these views may not come as a surprise to many. But as we all now look to move on from the pandemic, organisations must get a handle on the new threat landscape.
We need to understand who in our organisations is now most vulnerable to attack, the types of attack they are likely to face – and how everyone, from the CISO to the HR team, has a part to play in keeping those attacks at bay.
Facing threats, old and new
Coming off a turbulent year, adapting to new working environments and behavioural norms, it’s not difficult to see why the CISO feels under considerable strain. And while the gap between awareness of cyber risk and preparedness for an attack is concerning, it is understandable.
Modern organisations face an array of potential threats, and cybercriminals continue to embrace them all, old and new. Among the attacks causing concern for over a third of UK CISOs right now are insider threats (37%), cloud account compromise (34%) and DDoS attacks (34%), along with supply chain attacks (33%), which continue to dominate news headlines, and business email compromise (30%).
There is no one-size-fits-all defence against such a varied threat landscape. While some tools and technical controls may protect against more than one style of attack, that is just one facet of effective cyber defence.
A modern cyber strategy must have security awareness training at its heart. And, for maximum impact, this training needs to be tailored and adaptive – not just to certain threats but also to the users who are on the front line. A lack of understanding about your most vulnerable users and the types of attacks they are likely to face makes it very difficult to prioritise a cyber defence strategy. And with hybrid working, flexible hours, and multiple access points now the norm, gaining that understanding is increasingly difficult.
Solving the people problem
Naturally, the challenges facing the modern CISO are not focused on one front. Those on the receiving end of cyber attacks are of just as much concern as those behind them.
More than half of CISOs believe that users are the most significant risk facing their organisation. And just like the threats from the outside, there are several causing concern from within. Human error, criminal insider attacks and employees falling victim to phishing emails are just some of the issues keeping CISOs up at night.
With many users now out of sight, working remotely, at least some of the time, these concerns are more pressing than they may once have been. Nearly half of UK CISOs believe that remote working increases the risk facing their organisation. And it’s easy to see why.
Non-corporate environments tend to make us more prone to errors and misjudgement, and in turn more vulnerable to cyber attack. Working from home also calls for slight alterations to security best practice: the use of personal networks and devices may require additional safeguards and protections.
Unfortunately, remote working has made many organisations more vulnerable to targeted cyber attacks – with 60% of CISOs revealing they had seen an increase in targeted attacks in the last 12 months.
This needs to change, and fast. The disruption caused by the pandemic was never a standalone issue, and there is no return to normal. The way we work has been forever altered, and that’s no bad thing. As we reimagine office environments, empowering our people to take greater ownership of the way they work, we have an opportunity to do the same for cyber defence: to build strategies that acknowledge the vital role our people play in keeping our organisations safe.
Building a defence for a brighter future
The struggles of the CISO over the past year and a half have been widely documented. But despite the scale of recent challenges, many have a bright outlook for the years ahead.
UK CISOs believe they will be able to better resist and recover from cyber attacks by 2023. The top three priorities across the board for UK CISOs over the next two years are enhancing core security controls, supporting remote working, and improving employee cyber security awareness. While all are welcome, it is the last of these that is most cause for celebration.
Whatever the physical or virtual characteristics of the workplace, people will always be at its centre. And, wherever they are, they are likely to remain squarely in the crosshairs of cyber criminals – with over 90% of cyber attacks requiring human interaction to succeed.
So, whatever the threats facing the CISO today, tomorrow, or two years from now, people form the vital last line of defence. Building this defence means creating a vigilant and knowledgeable workforce, whether in the office, at home, or anywhere else.
The more each user understands about the threats they face, the methods behind them, and how their behaviour can mean the difference between success and failure, the better able they are to protect your organisation from harm.
Ultimately, the role of the CISO in 2021 is not an easy one. No doubt, the years ahead will bring many challenges. But, knowing the central part users play in the vast majority of cyber attacks today, user awareness should no longer be one of them.